No More Ransom? Activism Won’t Prevent Ransomware.


The European Cybercrime Centre (EC3) of Europol, the European law enforcement agency, is driving a new public/private initiative that, according to the Washington Post, “may offer a glimmer of hope for victims” of ransomware.

No More Ransom is the campaign's motto. As nice as that would be, I think the slogan and the site promote a false sense of security.

The new initiative’s goal is to help victims of ransomware retrieve their encrypted data without having to pay the criminals. For that purpose, the No More Ransom site offers a selection of decryption tools developed by IT security professionals to unlock the files that have been taken hostage by the extortionists.

Sure, raising the level of threat awareness about this scourge cannot hurt. And the tools offered on the No More Ransom website may even help a few users regain access to their encrypted data without paying a ransom to criminals.

“Few” being the operative word here. This is not a serious approach to combatting ransomware. It amounts to a capitulation, in my view.

To me, this looks like putting on your helmet after you've had the crash. The “helmet” here being a secure browser, which would protect the user against all web-borne threats - including, but not limited to, ransomware - from the get-go.

Here's what I'm getting at: Regular (non-secure) browsers have become the primary attack vector for ransomware because they fetch code from the web and execute it on the local computer. A malicious ad or a compromised site can serve an exploit kit that targets a vulnerability in the browser or one of its plug-ins; if the exploit succeeds, the ransomware payload runs on the endpoint, spreads through the enterprise network, and starts encrypting data. To the user, it's just a simple click on a link. To the browser, it's a command to fetch and run whatever the page delivers.

This weakness of the local browser, made worse over the years by exploits of Flash, Java and other plug-ins, is as old as the web itself. (Ransomware, for that matter, is older still.)

What's new is that sophisticated “Ransomware-as-a-Service” distribution tools now enable criminals to exploit this vulnerability of the local browser on an industrial scale - as outlined in the Cisco report quoted below. And that's just the beginning:

“On the horizon: faster and more effective propagation methods that maximize the impact of ransomware campaigns and increase the probability that adversaries will generate significant revenue.”

With a grim outlook like this, the “solutions” suggested on the No More Ransom site seem even more questionable to me.

Three reasons why No More Ransom remains an empty promise

The extortionists already have a steady and widening stream of ransomware profits to reinvest. The decryption tools work only where a ransomware author made an implementation mistake - a key that can be guessed or recovered from the infected machine - and it won't take long before the criminals fix those mistakes and move on to encryption schemes for which the No More Ransom tools are no match.

The resulting encryption / decryption arms race doesn't address or solve the underlying issue. Instead, just like traditional antivirus software, the No More Ransom model will perpetuate the scheme, with the bad guys always a step ahead.
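To make the first reason concrete, here is an added example written for this page; it is not code from the original post, from Authentic8, or from any real ransomware family. Two toy “lockers” encrypt the same in-memory bytes with the same keystream cipher and differ only in where the key comes from. The file marker, the seed-derivation scheme and the timestamps are constructed for illustration, and nothing here touches the file system.

```python
"""
Constructed example: why some ransomware can be undone by a decryptor
and some cannot.

Both toy lockers encrypt bytes with a keystream built from HMAC-SHA256 in
counter mode (standard library only, standing in for AES). The only
difference is the key:
  - weak_locker derives it from a low-entropy seed (the infection time
    rounded to the minute), the kind of mistake that makes a
    No More Ransom-style decryptor possible;
  - strong_locker uses 32 random bytes that exist only on the attacker's
    side, so there is nothing on the victim's machine to recover.
All "files" are in-memory byte strings; nothing is written to disk.
"""
import hashlib
import hmac
import os
import struct

MAGIC = b"LOCKED1\0"  # hypothetical header the toy locker prepends to each file


def keystream(key: bytes, n: int) -> bytes:
    """Concatenate HMAC-SHA256(key, counter) blocks until n bytes are produced."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR against the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def derive_weak_key(minute_stamp: int) -> bytes:
    # The flaw: the key depends on nothing but the minute of infection,
    # so a decryptor has only ~1,440 candidates per day to try.
    return hashlib.sha256(b"toy-locker-v1" + struct.pack(">I", minute_stamp)).digest()


def weak_locker(plaintext: bytes, minute_stamp: int) -> bytes:
    return MAGIC + xor_crypt(derive_weak_key(minute_stamp), plaintext)


def strong_locker(plaintext: bytes):
    # Per-victim random key. In real campaigns it is wrapped with the
    # criminals' public key and sent off-box; it is never kept in the clear
    # on the victim's machine. Returned here only so the demo can show that
    # the ciphertext is still decryptable by whoever holds the key.
    key = os.urandom(32)
    return key, MAGIC + xor_crypt(key, plaintext)


def recover_weak(ciphertext: bytes, day_start_minute: int, known_prefix: bytes):
    """What a decryptor does: brute-force the seed and test each candidate
    plaintext against a known file-format header (e.g. %PDF for PDFs).
    Returns (minute, plaintext) on success, None otherwise."""
    if not ciphertext.startswith(MAGIC):
        return None
    body = ciphertext[len(MAGIC):]
    for minute in range(day_start_minute, day_start_minute + 1440):
        candidate = xor_crypt(derive_weak_key(minute), body)
        if candidate.startswith(known_prefix):
            return minute, candidate
    return None


def demo():
    document = b"%PDF-1.7\nconstructed sample document\n"
    day_start = 24_500_000          # constructed: minutes since the epoch at 00:00 of the infection day
    infected_at = day_start + 613   # constructed: 10:13 that same day
    # Weak variant: the victim knows the day and that PDFs start with %PDF.
    weak_ct = weak_locker(document, infected_at)
    weak_result = recover_weak(weak_ct, day_start, b"%PDF")
    # Strong variant: the identical brute force finds nothing; only the
    # attacker's key decrypts it.
    key, strong_ct = strong_locker(document)
    strong_result = recover_weak(strong_ct, day_start, b"%PDF")
    return weak_result, strong_result, key, strong_ct


if __name__ == "__main__":
    weak, strong, key, ct = demo()
    print("weak locker: seed recovered at minute", weak[0], "->", weak[1])
    print("strong locker: brute force result is", strong)
```

The decryptor succeeds against the first locker because the key depends on a seed it can enumerate; against the second, the same search returns nothing, and no amount of tool-building on the defender's side changes that. The tools on the No More Ransom site work precisely where a criminal made a mistake of the first kind; once that mistake is fixed in the next variant, the tool is dead.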

One data point: a study presented at this year's Network and Distributed System Security Symposium (NDSS) found that every AV product the researchers examined made accessing the web less secure, not more.

On its website, the No More Ransom campaign concedes that “it is much easier to avoid the threat than to fight against it once the system is affected.”

So why rely on a historically disproven remedy?

Instead, let's remove the primary attack vector - the browser - from the local computer. A secure browser that insulates the local device and network from the web, by rendering all content in an isolated container in the cloud, protects users against web-borne ransomware exploits - including future ones that no decryption tool on the No More Ransom site will cover - because the exploit code never reaches the endpoint. (It does not, of course, stop a malicious e-mail attachment that a user opens locally; that vector needs its own controls.)

I suggest checking out Silo, the secure browser developed by Authentic8. Silo is used by a rapidly growing number of leading financial institutions, law firms, healthcare providers and federal agencies.

Through an encrypted connection, only the display of the web session reaches the user - essentially, pixels instead of code. At the same time, Silo provides the same rich web and webmail experience as a local browser, while keeping the active content insulated from the local device.

So even if users click the wrong link when accessing the internet: with Silo, no more ransomware worries.

Instead of empty activism and hoping for the best after the fact, let's aim for prevention. “No More Ransom” sounds good, but it does little to console the (future) victims whose files won't be unlocked by the decryption tools offered on the site.